​ What is Cloud Compu​ting?​​

Over the past decade, Cloud Computing has become a critical alternative of IT resources for organizations Worldwide. The world is witnessing an increase in infrastructure services and software that mainly support cloud services. Cloud computing services offer you several advantages in addition to security and protection, mainly Disaster Recovery (DR). Storing of data in the cloud makes it always available without any impact on any factors affecting your existing devices such as PCs, mobile phone and servers as power outages or natural disasters do not affect your important data. Cloud computing services also provide very high levels of accessibility and DR capability as long as there is a reliable connection. Furthermore, cloud computing provides you with speedy access to your data or applications from any place and at any time with high flexibility in determining and allocating access levels as per accounts, which enhances efficiency and productivity. ​

Cloud Computing is a model that provides easy and on-demand network access to a shared set of configurable computing resources such as networks, servers, storage, applications and software services that can be made available and launched rapidly with minimal management effort or human interaction with the service provider. Cloud Computing consists of five main characteristics, three service models, and four deployment models.

Dig​ital Economy

iconCloud Computing plays a crucial role in shaping the new digital economy. Competition in this field contributes to facilitating regulations, which will encourage innovation and help create a better digital system for partners, companies and beneficiaries. Covid-19 pandemic has also contributed to accelerating the global trend towards digital transformation and use of data, indicating that Cloud Computing today has become an essential enabler for a range of new technology services and solutions, including artificial intelligence, blockchain, coding, augmented /virtual reality, etc...

What the key characteristics of cloud computing are?

Cloud computing leverages several elements including scale, virtualization, resilience, cost efficiency, service orientation, agility, etc. These elements are combined under National Institute of Standards and Technology (NIST) definition into five key characteristics: ​​

1.  On-demand self-service: Unilateral provisioning of computing capabilities, such as server time and network storage, provisioned by the end-user, without human interaction with each service provider.​

2.  Broad network access: Availability of capabilities over the network with accessibility through standard mechanisms that promotes usage by the consumer through different platforms (e.g. phones, laptops and PCs).

Resource pooling: ​ Pooled computing resources to serve multiple consumers using a multi-tenant model, with different physical and virtual resources assigned and re-assigned based on demand. There is a degree of location independence, the customer may be able to specify location at a higher level of abstraction (e.g. country, state, or datacenter) but not the exact location of the provided resources. Examples of resources include storage, processing, memory, network bandwidth and virtual machines.

Rapid elasticity: ​ Rapid and elastic provision of capabilities to quickly scale resources up and down – this is done in some cases automatically. To the consumer, capabilities available for provisioning are often (almost) unlimited and can be purchased in any quantity at any time.

Measured service: ​ Automatic controlled and optimized resources are used by leveraging a metering capability at some level of abstraction, appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.

Service Models​   

Cloud computing, in its core, offers three different service models, which provide applications, platforms and infrastructure as a service. These service models (illustrated in Figure 1) provide some or all the IT support necessary to deploy an IT solution.


Software as a Service (SaaS):

The capability provided to the consumer is to use the Cloud Service Provider’s (CSP's) applications running on a cloud platform and infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g. web-based email). The consumer does not manage or control the underlying cloud platform and infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Examples may include, but are not limited to: 

• Government applications 

• Internet services 

• Virtual desktops 

• Enterprise Resource Planning (ERP) systems 

• Customer Relationship Management (CRM) systems 

• Communication software (email, instant messaging) 

Platform as a Service (PaaS): ​​

The capability provided to the consumer is to deploy onto the cloud infrastructure of the CSP consumer-created or acquired applications, these applications are created using programming languages and tools supported by the CSP. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Examples may include, but are not limited to: 

• Application development 

• Database and database management (DBMS) 

• Middleware (Web MQ, WebSphere, etc.) 

• Testing and developer tools 

• Directory Services ​​

Infrastructure as a Service (IaaS): ​

The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources. It’s up to the consumer to decide what software is deployed and operated, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control on selection of networking components (e.g. firewalls). Examples may include, but are not limited to: • Mainframes • Mid-tier Servers • Storage • IT Facilities/Hosting Services • Virtual Machines ​

Depending on ​the selected service model, users of the Cloud services will outsource certain portions of the IT value chain to the CSP. Figure 1 provides an overview of the scope covered by each service model. For instance, in the Software as a Service (SaaS) model, the CSP will provide a software application targeted towards end-user software clients, available via Cloud. As part of this offering, the CSP will cover the platform infrastructure, database management systems, libraries, software-processing tools and other test tools needed for applications development and implementation. Additionally, CSP will provide physical infrastructure, which typically includes the facility layer (heating, ventilation, power, etc.) and hardware layer (servers, storage, network components, etc.), as well as the virtualized infrastructure layer that includes software elements (hypervisor, virtual machines, and virtual data storage) that are used to realize the infrastructure upon which the Cloud computing platform can be established. Similarly, the Platform as a Service (PaaS) model covers the platform architecture layers as well as the infrastructure layer, both the physical and the virtualized one. As for Infrastructure as a Service (IaaS), CSP will provide the virtualized and the physical infrastructure layers alike.

Deployment Models


Cloud computing has three primary deployment models; as most countries adopt a combination of these three models. Each of these deployment models can offer the different service models explained above, the main difference lies primarily in the level of control and ownership the CSP assumes versus the ownership of the user (consumer).

1. Public Cloud:

The cloud infrastructure is provisioned for open use by a variety of entities. It may be owned, managed, and operated by a business, academic, or government organization, or a combination of these. It exists on the premises of the cloud provider. Public Cloud is typically served by global players (e.g. AWS, Google Cloud, and Microsoft Azure) as well as by local players (e.g. local telecom and ICT players). CSP guarantees SLAs/Uptime and manages the copying of data. This model offers a “plug and play” model, which allows for faster timelines for deployment of new solutions.

2. Private Cloud:
The cloud infrastructure is provisioned for exclusive use by a single organization comprising of multiple users (e.g. divisions, departments and business units). It may be owned, managed, and operated by the organization and/or a third party (e.g. a CSP). The physical location may be on or off premise. There are no guarantees on SLAs/Uptime and copying of data is managed by the entity itself. Solutions development on private Clouds typically consume more time as all the deployment and testing needs to be done in-house. A common example of private cloud computing in the public sector is a cloud-computing platform owned by a government entity that typically serves that organization or a specific group of entities.​​

3. Community Cloud: 
The cloud infrastructure is made available for exclusive use by a specific group of consumers from organizations that have shared/aligned interests (e.g., organization missions, cyber security requirements, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community and/or a third party. The physical location may be on or off premise. The CSP guarantees the SLAs/Uptime and manages the copying of data. This model offers a “plug and play” model, which allows for faster timelines for deployment of new solutions. A common form of community Cloud for the Public sector is a Government-owned community Cloud, which is often cited as “G-Cloud” or “Gov-Cloud”. This is a Cloud typically fully owned by a Government, and provisioned for the exclusive use of Governmental entities. A Governmental entity and/or a third party (e.g. a CSP) could do operations for this Cloud. It is typically located inside the country, mainly to protect data sovereignty.
4. Hybrid Cloud: ​
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (Private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. transforming the private cloud platform into a public one for balancing the load between clouds).​​​

Cloud Comp​uting Shared Responsibility Model

While considering and evaluating public cloud services, it is necessary to understand the shared responsibility model, security tasks that the cloud service provider handles, and tasks that the user handles. Workload responsibilities vary depending on whether the workload is hosted on a Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) or on-premises data center (Hosting). The following diagram shows areas of responsibility between the client and the cloud service provider according to the type of cloud service model. ​

    ​CST’s Role ​

The Kingdom is one of the first countries to adopt specific regulations and regulatory frameworks for cloud computing service providers, which aim to encourage the public and private sectors to adopt cloud computing services instead of traditional IT solutions. CST’s role is to regulate the telecommunications and information technology sector in the Kingdom by implementing the approved policies, regulations, and programs for developing information technology and emerging technologies, laying down appropriate procedures, proposing and amending regulations related to information technology and emerging technologies and getting the same approved by the competent authorities, in addition to enabling and ensuring a fair competitive environment in the market and issuing necessary licenses in accordance with the relevant terms and regulations. CST seeks to provide the appropriate environment to attract local and international investors, localize cloud computing services, stimulate reliance on CSTsolutions and technologies in the Kingdom in order to raise the level of performance, productivity, flexibility and quality of services for all beneficiaries in the Kingdom. ​


In case of any inquiries with respect to Cloud Computing Regulations in the Kingdom of Saudi Arabia and CST- registered service providers, kindly contact us at cloudcomp@citc.gov.sa. ​​